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(57) Abstract 



A unique electronic cash (14) system protects the privacy of users (12) in legitimate transactions while at the same time enabling the 
detection (32) of a double spender of the same electronic coin (14). The electronic cash system takes advantage of a unique property of El 
Gamal signatures to achieve these results. 
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EFFICIENT ELECTRONIC MONEY 

♦ 

5 Related Application 

This is a continuation-in-part of U.S. Patent Application 
Serial No. 08/201,106 filed on February 23, 1994 for Y . Yacobi 
and assigned to the assignee hereof. 
Field of the Invention 

10 The present invention relates to electronic money, 

specifically, to a form of electronic money which is the 
electronic equivalent of cash. The invention provides a form of 
electronic money which deters double spending of a specific 
electronic coin, while at the same time protecting the privacy of 

15 payers (spenders) and payees (recipients) in cash transactions. 

Background of the Invention 

Electronic money (e-money) comes in the same forms as 
ordinary money. For example, there are electronic equivalents of 

20 checks (e-checks) and electronic equivalents of cash (e-cash) . 

Electronic checks are easier to implement than electronic 
cash. In a paper check, the most important component is the 
user's signature. This signature is supposed to insure the 
correctness of an obligation to transfer a certain amount of 

25 money from the signer ("payer") to a specified payee. In 

addition, certain properties of the paper of which the check is 
made are designed so that changes to the content of the paper 
check will be noticeable. All of these properties are inherent 
to digital signatures (see e.g., W. Diffie, M. Hellman, "New 

30 Directions in Cryptography" IEEE Trans. IT. 1976 and R. Rivest, 
A. Shamir, and L. Adelman, "A Method for Obtaining Digital 
Signatures and Public Key Cryptosystems" , CACM, vol. 21, 1978, 
pp. 120-126) . Thus, it is straightforward to implement digital 
checks. Similarly, it is easy to implement digital credit cards. 
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A digital signature in this case indicates the authenticity of 
the user and the user's consent to a particular transaction. 

It is harder to create the digital equivalent of cash. (For 
a discussion of e-cash, see e.g., D. Chaum, et al . "Untraceable 
Electronic Cash", Proc. Crypto 1988, D. Chaum "Achieving 
Electronic Privacy" Scientific American, August 1992, pp 96-101, 
S. Brand "Electronic Cash Systems Based on the Representation 
Problem in Groups of Prime Order" Proceedings of Crypto '93 Santa 
Barbara 1993 pp 26-26.15; S. Even et al . "Electronic Wallet" 
Proc. Crypto '83). The main problem is this. Suppose that a 
bunch of digital bits represents a coin. What can prevent the 
payer from double spending the digital coin? 

Two approaches have been used in the prior art to resolve 
this problem. Prevention and after the fact detection. For 
example, to prevent double spending, tamper resistant devices may 
be used. Such devices, called electronic wallets (e-wallets) or 
money modules, store a user's balance in a manner so that even 
the owner of the device cannot illegally modify the balance. A 
balance on one of these money modules can change if two such 
devices "agree" to a specified transaction, whereby one money 
module (the payer) agrees to pay X dollars to another money 
module (the payee) . In this case, the balance in each money 
module is changed so that the sum of the two balances remains 
unchanged. A transaction between a bank and a user is similar 
except that it involves additional steps such as moving money 
from the user's checking account into the user's money module 
where the money now becomes e-cash. The use of tamper -resist ant 
devices, i.e. money modules, to prevent the double spending of 
e-cash is preferred by banks because banks want to prevent double 
spending, not detect double spending after such double spending 
occurs . 

However, it is impossible to create a 100% tamper proof 
money module type device. It is only a question of resources 
devoted to reverse engineering and description, etc. If by 
unwrapping one money module one could forge ten million dollars, 
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then it makes economic sense (but not moral sense) to invest one 
million dollars to penetrate the money module. There is a 
spectrum of tamper-resistant technologies that range in price and 
quality and some economic optimum must be reached. 

This optimum is less expensive if a second line of defense 
can be added. Such a second line of defense might be the use of 
a process which provides for after the fact exposure of the 
double spender. 

Another issue that arises in connection with the use of 
e-cash is privacy. For large transactions (e.g. buying a house), 
traceable forms of e-money such as e-checks can be used. Usually 
these kinds of transactions are not viewed as secret transactions 
and usually the parties want evidence as to these transactions. 
Electronic cash (e-cash) is generally used for smaller daily 
transactions (e.g. buying groceries and buying newspapers, etc.). 
A user would not want a government or large private agency (e.g. 
a bank) to be able to constantly know his/her whereabouts and the 
details of daily purchases based on the payment of e-cash to 
various payees. Thus, after ordinary legitimate uses, the 
identity of an e-cash spender should not be traceable. On the 
other hand, the e-cash system should enable detection of the 
identity of a double spender of the same e-coin. 

It is an object of the present invention to provide e-cash 
or e-coins with certain highly desirable characteristics. The 
characteristics include the following: 

1. Once a bank detects double spending (i.e. the same e- 
coin is deposited twice) , the bank should have enough 
information to efficiently expose the identity of the 
double spender. However, one legitimate deposit of a 
particular e-coin should not provide the bank with 
enough information to compute the identity of the 
person who paid the particular e-coin to the depositor. 

2 . The e-cash should be useable in the following 
transactions; (a) payment from payer to payee without 
revealing identity of payer, (b) deposit of money into 
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the bank by the payee without revealing the identity of 
the payer, (c) an exchange transaction wherein a 
depositor gets a certain amount of fresh money from the 
bank in exchange for depositing the same amount of old 
5 money into the bank without revealing his/her identity, 

and (d) withdrawal from the bank. 
3. The system should be efficient. Specifically, the 

system should require as few real time operations as 
possible during transactions, especially at the money 
10 modules used by individual users as the money modules 

have limited processing power. As many operations as 
possible should be done in advance of and apart from 
the transactions which take place in real time. 
The present invention provides an e-cash system which has 
15 these advantages. 

The e-cash system of the present invention relies on certain 
prior art techniques. These prior art techniques are described 
below: 

A. Public Key Cryptography 

20 In a typical public key cryptographic system, each party i 

has a public key Pi and a secret key Sj . The public key F i is 
known to everyone, but the secret key Si is known only to party 
i. A clear text message m to user i is encrypted to form the 
cipher text message c using a public operation P which makes use 

25 of the public key P A known to everyone, i.e., c^PlnwPJ. The 
cipher text message c is decrypted using a secret operation S 
which makes use of the secret key S i# i.e., m=S{c,S { ) . Only the 
party i which has the secret key Sj can perform the secret 
operation to decrypt the encrypted message. 

30 Public key cryptographic techniques may also be used for 

authentication. If it is true that P(S (m, , P t ) = m, then the 
owner of the corresponding keys P i; Si could sign message m by 
producing s=S(m, S^, where s indicates the signature. The 
verifier, given m and s will verify m=P(s / P i ) . A signature 

35 system could be used for verification as follows: Challenge the 
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party claiming to be i with message m and ask the party to sign 
the message m using his secret key S,, then verify the signature 
using P; . 

An example of a public key cryptographic technique is the 
5 well known RSA technique . In accordance with this technique, a 
party i has a public key in the form of an exponent e and modulus 
N and a secret key in the form of an exponent d. Thus, a party 
with a message to send to party i encrypts the message m to form 
cam- mod N. The party i can then decrypt c to obtain m by 
10 performing the operation m=c d mod N. 

Another public key crytographic technique is the Rabin 
modular square root. In this technique, the. secret operation 
involves obtaining a modular square root and the public operation 
involves a modular squaring operation. 

15 

B. EL Gamal Signature Scheme 

Let P; and S 4 be the public and secret keys of user i, where 

Pi = a si mod p, where p is a large prime or a product of large 
20 primes, and a is a generator in Z* p . An El-Gamal signature by 
user i, on message m is an ordered pair s=(u,v), for which 

Pi u . u v = a!" mod p 

(1) 

25 Thus a recipient of a signature can easily verify it. To create 
a signature, user i chooses a random number r, and computes 
u = a r mod p. From eq (1) it follows that: 

Si . u + r . v = m mod p - 1 (2) 

30 Hence i, who is the only one who knows S lf can compute v, 

provided gcd(r,p - 1) = 1. The El Gamal signature scheme is 
disclosed in T. El Gamal "A Public Key Cryptosystem and a 
Signature Scheme Based on Discrete Logarithms", IEEE Trans IT, 
Vol. IT-31, No. 4, July, 1985, pp. 469-472. 
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The El-Gamal signature system has the curious property that 
if the signer i tries to use the same r twice to sign two 
different messages, then these two signatures expose his secret 
key To see how double use of r exposes S if note that from 

5 eq (2) that 

Sj . u+r . v l = m l mod p-1; Si . u+r.v 2 h m 2 mod p-1 (3) 

Hence, 

r ( v } -v 2 ) = (mj- m 2 ) mod p-1 

(4) 

10 If gcd (v 5 - v 2/ p-1) = 1, anybody knowing the messages m a , 

m 2 and their signatures (u,Vj), (u / v 2 ) can find r, and if 
gcd (v, p-1) =1/ then Si can be computed. This unique property of 
the El Gamal signature scheme is used as the basis for an e-cash 
system according to the invention in which the identity of a 

15 double spender of a particular e-coin is exposed. Other 

signature schemes such as NIST, DSS and Schnorr also have the 
property that if two distinct messages are signed using the same 
random element (e.g. r) , then the secret key of the signer can be 
computed by anyone having the message, the signature and public 

20 information such as the public key of the user. 1 Signature 
schemes with this property belong to the El Gamal family of 
signature schemes. 

C . Blind Signature 

25 The idea of a blind signature is to mimic a situation in 

which a person signs a closed envelope. The envelope includes 
some document and a carbon paper, so that the signature appears 
(via the carbon paper) on the document, without the signer 
knowing the contents of the document. The recipient can later 

30 fetch the signed document from the envelope. This seemingly 

bizarre idea proves very helpful in establishing nontraceability . 
A blind signature may be implemented using RSA as follows. The 
signer is associated with N,e,d (public modulus, public exponent, 
and secret exponent, respectively) . The secret message to be 

35 signed is m. The recipient picks a random x e Z* N , and presents 
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a "message-in-envelope" c s x e . m mod N to the signer, who signs 
it, i.e. computes c d e x. m cl mod N, from which the recipient, and 
only the recipient (who knows x) , can compute the signed message 
m d s= c d x" 1 mod N. 

The public key cryptography techniques described above are 
used to provide a unique e-cash system according to the 
invention, 

SUMMARY OF THE INVENTION 

In accordance with an illustrative embodiment of the present 
invention, an e-cash system has four players. These are a 
certification authority, a bank, a payer also known as user i, 
and a payee also known as user j. There are six basic operations 
which may be carried out in the e-money system. These are: 
Initial Certificate, Receipt Certificate, Withdrawal, Payment, 
Deposit and Exchange. The elements of the e-money system of the 
present invention and the operations are discussed below. 

Public Key and Secret Key 

A user i has a public key, where for example, P £ = a si mod 
p, where a and p are universally known. Si is a secret key of 
the user i. The secret key S { includes the identity of the 
user i. Illustratively, Si is a concatenation of the user's name 
Ii and a string of random bits R t known only to the user i, i.e., 
Si = di, Ri) . Alternatively, the secret exponent key S 4 may 
include multiple copies of Ij. It should be noted that P t and S x 
are El Gamal public and secret keys respectively. As is shown 
below, this feature is important for detecting the identity of a 
double spender of a particular e-coin. 

Alternatively, P A and S 4 are El Gamal public and secret keys 
and may be keys from a different signature scheme in the El Gamal 
family of signature schemes. However, it is desirable for S* to 
contain the user's identity I t . 



Certification of the Public Key 
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The user may also have a certificate of the public key Pi. 
A certificate of a public key is a linkage between a user's 
identity Ij and the user's claimed public key P t . In the 
present invention, this certificate is a proof that the public 
key Pi is legitimate and that the user's identity is embedded in 
the exponent or otherwise embedded in the public key. The 
certificate is, for example, a signature (e.g. an RSA signature) 
of a trusted authority on f(Pj, 0 T ) , where 0 Y denotes a run of y 
zeros. The certificate of ? i is illustratively computed off -off 
line. The use of the function f is entirely optional. Thus, in 
some embodiments of the invention f (P^O 7 ) = {F it 0 y ). In other 
embodiments of the invention, f is a publicly known collision 
free has function. Specifically, let 1 (p) = log < (p)Y- L et £ = 
{0,l} 1(p) and f: I -) L be a publicly known collision free one way 
has function. (Sometimes f is used for £ = {0,1} 1(p2) and this is 
clear from the context. 

As used herein the term "off-off line" designates operations 
which are performed rarely. Specifically, the term "off-off 
line" designates operations which may be performed once and whose 
results are used in many real time operations. The "off-off 
line" operations are to be contrasted with "off-line" operations 
which are used in on/off line digital signature schemes. In an 
on/off line digital signature scheme, for each real time digital 
signature to be performed, as much of the computation as possible 
is performed ahead of time to reduce reial time computation. The 
computations performed ahead of time for each real time digital 
signature are referred to as "off-line" computations. There is a 
one-to-one correspondence between a set of "off -line" 
computations and a real time digital signature. In contrast, 
there is no one-to-one correspondence between "off-off" line 
computations and a real time operation. Rather, the results of 
an "off-off line" computation can be used in many subsequent real 
time operations. The use of "off-off line 1 ' operations is a 
unique feature of the present invention. It is a significant 
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advantage of the invention, that the secret key Pj and its 
certificate can be computed "off-off line". 

The certificate is obtained as follows. A candidate 
certificate f (P lf 0 Y ) is blinded by computing 
5 Z = x ec f (Pi, 0 T ) mod N c/ where x is a random number, e c is the 

public RSA exponent key of a trusted certificate authority, and 
N c is a public modulus of the certificate authority. The 
quantity Z is then transmitted from the user i to the certificate 
authority. 

10 The user i then proves to the certificate authority that P { 

has been properly formatted, i.e., that the secret key Si in the 
exponent of Pi includes the user identity I 5 . This proof is can 
be accomplished without revealing P 4 to the certificate authority 
so that the certificate authority cannot correlate and Pj for 

15 the user i. If the certificate authority is able to correlate I { 
and Pj, then the certificate authority will be able to gain 
knowledge of all the transactions performed by user i using 
e-cash. In the present invention, the identity of the user is 
exposed only when a coin is double spent. To prevent such a 

20 correlation, the candidate certificate is blinded before it is 
sent to the certificate authority. One technique which can be 
used to perform the proof is known as a zero-knowledge proof (see 
Goldreich, Micali, and Wigderson, Proofs that yield nothing, but 
their validity, or All languages in NP have zero-knowledge proof 

25 systems. J. of the ACM, 38: 691-729, 1991 and Goldwasser, Micali, 
and Rackoff, The knowledge complexity of Interactive proof 
systems, SIAM J. on Computing, 181, 1989, pp. 186-208, the 
contents of which are incorporated herein by reference) . A zero 
knowledge proof can be used here because all of the predicates 

30 used in the proof are NP (Non-deterministic polynomial time) . 

Another proof technique is to a "cut-and-choose" technique. The 
latter technique is discussed in detail below. 

Assuming the proof is acceptable to the certificate 
authority, the certificate authority computes Z dc , where d c is the 

35 secret RSA exponent key of the certificate authority. Z dc is 
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then transmitted from the certificate authority to the user i, 
who then computes the certificate cert(i) = Z dc /x = f(P i# 0 Y ) dc mod 
N c . In short, the user i gets a certificate from the 

certificate authority that establishes a linkage between I 5 and 
5 However, in contrast to ordinary certificates, this linkage 

is hidden. The user identity I 4 is embedded in the discrete log 
of the public key Pi and is only exposed when there is double 
spending of a coin. Note that the certificate cert(i) may be 
periodically refreshed using off -off line computations. 

10 

Format of e-coin 

In general, a coin includes a certified linkage between a 
public of a user and a random element. In accordance with an 
illustrative embodiment of the present invention, a coin of user 

15 i is represented by (Pi, u C) where the certified linkage C = 
f (Pi, u, 0 Y ) d$ mod N s , where u = a r mod p, where r is a random 
element and is chosen by i and known only to i, 30 < y < 50, d $ 
is a bank's RSA secret exponent for coins of a particular 
denomination, and N s is the RSA modulus of the bank. The key Pi, 

2 0 the value u, the modulus N s , and the public RSA exponent e $ 

(corresponding to the secret RSA exponent d $ ) are known publicly. 
Each coin of user i has a different value of the random element 
r, but the same Pj is used in many coins. 

The following on-line (i.e. real time transactions) can be 

25 performed using the e-cash of the present invention. 
1 . Payment 

The payer i transmits a coin (P^UtO , where the 
certified linkage C s f (p i# u, 0*) d$ mod N $ to the payee j. The 
payee j verifies the bank's signature by verifying C e$ = (Pi u, 
30 O 7 ) mod N s . If the banks' signature is correct, the payee j 

challenges the payer i to sign a random message m using (P A , u) 
embedded in the coin using an El Gamal signature or some other 
signature from the El Gamal Family. The payer i computes the El 
Gamal signature s=(u,v) and transmits the signature to the payee 
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j. The payee j then verifies the El Gamal signature. The payee 
j now stores the coin. 

In short, in the payment operation the payer sends a coin 
(certified linkage between a public key and a random element) to 
5 a payee. The payee verifies the certificate which illustratively 
is a banks signature. The payee then challenges the payer to 
sign a message m using a signature scheme for the El Gamal 
family, using the public key and random element embedded in the 
coin. The payee then verifies the signature. 

10 2 . Deposit 

Suppose the payee j wants to deposit the coin C 
{Pi ,01,0 in the bank. The payee j transmits the coin (P if u,C) 
and the El Gamal signature (u,v) of the payer i to the bank. The 
message m that was signed by payer i is also transmitted to the 

15 bank. The bank verifies the coin by verifying that C e$ = f {P d , u, 
O 7 ) mod N $ . 

The bank maintains a list of deposited coins (P l , u, C Y ) and 
corresponding El Gamal signatures (u,v) and messages m. 

The bank then compares the coin currently being deposited 

20 with the coins in the list. If there is a duplicate, using 

equations (2) and (3) above, r and Si can be determined. From 
Si, the identity Ii of the double spender is exposed. If there 
is no duplicate, the coin is added to the list and the balance of 
the payee j is updated. The list of coins will not grow 

25 endlessly if an expiration date is embedded in the coins. 

In short, in the deposit operation, the payee transmits the 
received coin and the payer's El Gamal family signature to the 
bank. The bank verifies the coin and then compares the coin to a 
list of previously deposited coins to see if the coin was 

30 deposited in the past. If the coin was deposited in the past, 

the bank is able to determine the identity of the double spender. 
Specifically, the bank would have received two El Gamal family 
signatures on two different messages but using the same random 
element . 

35 

11 
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Exchange of Old Money for New 

instead of the payee j simply depositing the coin received 
form the payer i, the payee j can deposit the coin C at the bank 
and ask for new coins of the same total value in return. The 
deposit routine as described above is performed and a check is 
made for double spending but no change is made to j ' s balance. 
The payee j transmits to the bank a non-blinded certificate 
(Pj/O 7 )* 5 mod N c which then verifies P j . For each requested coin, 
the payee also sends to the bank u = oc r ' mod p of his choice. 
The user j gets back from the bank C = f (P^, u, (T) dS mod N s . The 
exchange transaction is a feature of the present invention which 
is not found in prior out e-money systems. 

In short, in the exchange operation, a payee deposits old 
coins in the bank and gets fresh coins in the same total value 
from the bank. The payee does reveal his/her identity to the 
bank and the linkage (user, coin) is not known to the bank. 
Withdrawal 

Another operation which can be performed is a withdrawal 
operation. According to this operation, the user i establishes 
communication with the bank and authenticates himself /herself 
with the bank. The user i presents a candidate blinded coin 
w s x eS f (Pi, u, 0 T )mod N s on which it is desired to obtain the 
banks RSA signature. The user also proves to the bank (using a 
zero knowledge proof, or cut-and-choose proof, for example) that 
P s is properly structured without revealing the key Pj to the 
bank so that the bank cannot correlate the user i with Pj . The 
bank deducts the value of the coin from the user's balance. The 
bank then returns w** mod N$, from which the user can compute a 
coin 

(P lf u,C), where the certified linkage C =f(P i( u, 0*)** mod N $ . It 
is expected that the exchange operation will be used more 
frequently than the more complex withdrawal operation. 

In short, in the withdrawal operation a blinded linkage 
between a public key (e.g. Pj) and a random element (e.g. u) is 
transmitted to the bank. Blinding is used because the user's ID 

12 
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(e.g. Ij) is exposed to the bank. The bank verifies that P i is 
properly structured (i.e. the user's identity I s (reembedded 
therein) . The bank then signs the blinded linkage and returns 
the signed blinded linkage to the user who then computes a coin. 
5 The inventive e-cash system disclosed above has a number of 

significant advantages. The system is simple from the 
computation and communication point of view. The number of real 
time operations is limited and the most complex operations are 
performed off -off line. The inventive e-cash scheme protects the 
10 privacy of the user while permitting exposure of the identity of 
a double spender. 

Brief Description of the Drawing 

Fig. 1 schematically illustrates a network in which the 
15 e-cash scheme of the present invention may be utilized. 

Fig. 2 schematically illustrates a payment operation using 
e-cash in accordance with the present invention. 

Fig. 3 schematically illustrates a deposit operation using 
the e-cash system of the present invention 
20 Fig. 4 schematically illustrates an exchange operation using 

the e-cash system of the present operation. 

Fig. 5 schematically illustrates a withdrawal operation 
using the e-cash system of the present invention. 

Fig. 6 schematically illustrates an operation for generating 
25 an initial certificate of a public key of a user in accordance 
with the invention. 

Fig. 7 schematically illustrates an operation for refreshing 
a certificate of a public key in accordance with the invention. 

Fig. 8 and Fig. 9 illustrate a cut-and-choose technique used 
30 to prove the Pi is properly structured in the initial certificate 
and refresh certificate operations of the present invention. 

Detailed Description of the Invention 
A. The Network Environment 

13 
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Fig. 1 schematically illustrates a network 10 in which the 
e-cash of the present invention may be utilized to perform a 
variety of transactions. The network 10 includes a plurality 
electronic e-coin processing units such as money modules 
5 belonging to users, one or more banks, and a certificate 
authority . 

Illustratively, the network 10 of Fig.l includes a first 
portable money module 12 belonging to the user i and a second 
portable money module 14 belonging to the user j . The money 

10 module 12 includes a CPU (e.g., a microprocessor) 16 and a memory 
18. The money module 14 includes a CPU 20 and a memory 22. The 
money module 12 may be temporarily connected via a line 24 to the 
public switched telephone network 26. The money module 14 may 
also be temporarily connected via a line 28 to the public 

15 switched telephone network 26. Conventional modems (not shown) 
connect the money modules 12,14 to the lines 24,28. 
Alternatively, the money modules may be connected to the public 
switched telephone network via wireless radio channels . 
Illustratively, the public switched telephone network 26 is an 

20 ISDN (Integrated Service Digital Network) . The money modules 12 
and 14 can communicate with each other via the public switched 
telephone network 26. 

Alternatively, a wireless connection 30 can be established 
between the money modules 12 and 14. The wireless connection 30 

25 may be established in a cellular network or rely on a direct 

radio link through the atmosphere between the two money modules, 
A wireless infrared link may also be established between the two 
money modules. 

It should be noted that the CPU's 16 and 20 of the money 
30 module 12 and 14 have limited processing power. In addition, the 
memories 18 and 22 of the money modules 12 and 14 have limited 
capacity. Thus, it is desirable for the e-cash transactions of 
the present invention to require only limited numbers of real 
time operations at the money modules. 

14 
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The network 10 also includes a certificate authority station 
32. The certificate authority station 32 includes a server 34 
and a memory 36. The server 34 is connected to the telephone 
network 36 by the link 38. 
5 The network 10 also includes a bank station 40. The bank 

station comprises a server 42 and a memory 44. The server 42 is 
connected by the link 46 to the telephone network 26. 

The network 10 of Fig. 1 is illustrative only. While only 
two money modules 12 and 14 belonging to users i and j are shown, 
10 a network for using e-cash may include a large number of such 
money modules. In addition, there may be more than one bank. 

B. Money Format 

As indicated above, each user i has a public key 

15 Pj = a si mod p where a and p are universally known and Si is a 

secret key. The secret key Si includes the identity l i of user 
i. Illustratively, Sj = (I*, RJ , where R A is a random string of 
bits known only to the user i. In addition, the user i has a 
certificate cert(i) which certifies that P 4 has the identity I t 

20 contained within the exponent Si. This format is important for 
the exposure of a double spender of a particular e-coin. 
Illustratively, the certificate cert(i) is the signature of a 
certificate authority on (Pi, 0 T ) , where 0 Y denotes a run of y 
zeroes and 30 < y < 50. For example, cert(i) s (P i ,0 Y ) dc mod N c , 

25 where d c is the secret RSA exponent of the certificate authority 
and N c is the modulus of the certificate authority. A detailed 
process for obtaining the certification is described below in 
connection with Fig. 6. 

A coin of user i has the form (Pi,u,C) where the certified 

30 linkage C=(f (P^u, 0 Y ) d$ ) modN $ , where u s <x r mod p, r is a random 

element chosen by i separately for each coin and known only to i. 
The exponent d $ is a secret RSA exponent of a bank for a 
particular coin denomination, and N $ is the bank modulus. The 
bank also has a public .RSA exponent e $ such that (m dS ) e$ mod N $ s 

35 m, for all m. 
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C . Payment Transaction 

One transaction which can be performed using the e-cash of 
the present invention is a payment transaction. The payment 
transaction involves communication between the money module 12 
5 belonging to a payer i and a money module 14 belonging to the 
payee j . These communications take place via the telephone 
network 26 or the wireless link 30. The computations required in 
the payment transaction are performed in the CPU's 18 and 2 0 of 
the money modules 12, 14. 
10 The payment operation is illustrated in Fig. 2 and comprises 

the following steps: 

1. The payer i transmits a coin (P 1# U/C) where the 
certified linkage C=(f(P i/ u, 0 Y ) d$ modN $ to the payee j. 

2. The payee j verifies the coin by verifying the banks 
15 RSA signature, i.e., by verifying that 

C e$ s (P i7 u, 0 Y ) mod N $ . If the verification fails, the 
payment operation is aborted. 

3. If the verification is successful, the payee j picks a 
random message m. 

20 4. The random message m is transmitted from the payee j to 

the payer i . 

5. The payer i generates an El Gamal signature s=(u,v) on 
the message m using P it S if and u. As indicated, Pi and 
S t have the form of El Gamal public and secret keys. 

25 (Alternatively, an NIST-DSS or Schnorr signature or 

other scheme from the El Gamal family may be used) . 

6. The El Gamal signature s is transmitted from the payer 
to the payee j . 

7. The payee j verifies the El Gamal signature s=(u,v). 
30 If the signature s is not verified positively, the 

payment operation is aborted. If the signature is 
verified positively, the payee j stores the coin 
{P it u,C) , signature s, and the message m in the memory 
22. 
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It should be noted that the payee j never learns the 
identity I t of the payer i because there is no easy way to 
correlate the public key Pi with the identity l i if p is large 
enough. Thus, privacy of the payer i is maintained. 

D. Deposit Transaction 

Fig. 3 shows a transaction wherein the payee j deposits the 
coin (P it u,C) received from the payer i in the bank 40. To carry 
out the deposit operation, the money module 14 of the payee j and 
the bank 40 communicate via the public switched telephone network 
26. The steps in the deposit transaction are as follows: 

1. The payee j transmits the coin C and the El Gamal 
signature s received from -the payer i, as well as the 
message m, to the bank 40. 

2. The bank verifies the coin by verifying that C e$ mod N s 
= f (Pi, u, 0?) . 

3. The bank maintains a list of deposited coins. For each 
coin, the list includes a message and an El Gamal 
signature obtained on the message using the El Gamal 
key and value of u inside the coin. This list is 
stored in the memory 44. (An expiration date may be 
added to the coins to limit the size of this list). 

4. Using the server 42, the bank 40 compares the coin 
(Pi,u,C) to the list of already deposited coins stored 
in the memory 44. If a collision is found, double 
spending is detected. Then the identity Ii of the 
payer i is determined. The identity can be determined 
because two El Gamal signatures on different messages 
but using the same P t and u result in exposure of the 
secret key Because Si contains I^then I A is also 
exposed. This was proven in connection with equations 
(2) and (3) above. If the coin C is not found in the 
list, the payer's signature s is verified. Then the 
coin (p^U/C) and associated El Gamal signature s and 
message m are added to the list maintained at the bank. 

17 



WO 95/23465 PCT/US95/02007 

5. The payee j has its balance updated by the bank. 

It should be noted that the deposit operation does not 
reveal the identity I { of the payer i unless the payer is a 
double spender. 

5 

E. Exchange Transaction 

Another transaction which can be performed using the e-cash 
of the present invention is an exchange transaction. The 
exchange transaction involves a user depositing old e-coins with 

10 the bank and withdrawing new e-coins in the same total amount. 
The purpose of the exchange operation is to perpetuate the 
privacy of the payer i and payee j . Illustratively, the exchange 
transaction is performed by communication between the money 
module 14 of the user j and the bank 40 using the public switched 

15 telephone network 26. As shown in Fig. 4, the steps involved in 
the exchange operation are as follows: 

1) The payee j sends to the bank the used coin 
(P w u # C), where the certified linkage C = {f(P i# u,0 Y )) d$ 
mod N s , received from payer i and the El Gamal 

2 0 signature s received from payer i along with the 

message m. 

2) The bank verifies the coin by verifying C e$ mod N$ 
• = f (P., u,0?) . 

3) The bank compares the coin (P^UfC) to a list of 
25 already deposited coins stored in the memory 44. If a 

collision is found, double spending is detected. Then 
the identity of the double spender is determined in the 
same manner as for the deposit transaction discussed 
above. If the coin C is not found in the list, the 
30 payer's signatures s is verified and the coin C is 

added to the list maintained by the bank. 

4) A certificate, cert(j) = (f(P j7 0 T )) dc mod N c and 
u r ee a r " mod p are transmitted from the payee j to the 

t bank . 
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5) The bank verifies the certificate and forms a new 
certified linkage C' to the user j , who then 
formats a new coin (P^u^C') 
Note: For this operation the bank never learns the identity 
of the payer i or the payee j . Nor can the bank associate the 
coin (Pj,u',C') with any particular user as the coin 
C circulates. The reason for this is that the bank has no way to 
correlate P- x or Pj with I t or Ij . 

The above described three transactions - payment, deposit, 
exchange - are all performed in real time and require a minimum 
amount of operations at the money modules. 

F. Withdrawal Transaction 

Another transaction which can be performed using the e-money 
of the present invention is withdrawal from the bank. 
Illustratively, the user i uses. the money module 12 to 
communicate with the bank 40 via the telephone network 26 to 
perform the withdrawal operation. The steps in the withdrawal 
operation are shown in Fig. 5 and described below. 

1) The user i transmits its identification I it an account 
number and a value to be withdrawn to the bank. 

2) The bank verifies the identification Ii and checks the 
account balance . 

3) The user i picks a random x and forms a blinded 
candidate linkage W=x eS <Pi/U, 0?) mod N s and transmits the 
blinded candidate linkage to the bank. 

4) The user i proves to the bank that Pj s a si mod p is 
properly formatted and that Si includes Ii. This is 
done using a zero knowledge proof, or a cut-and-choose 
technique, for example, so that the bank does not learn 
P^ Thus, the bank cannot correlate Pi and the 
identity of i. Therefore, the privacy of user i is 
preserved. 
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5) If the bank rejects the proof, the operation is halted. 
Otherwise the bank forms W d5 = xf ( P t , u , 0 T ) ds mod N s and 
transmits this quantity to the user. 

6) The user then forms the coin (Pi,u,C) using the linkage 

s f (P i/U/ 0 Y ) ds mod N $ 
It should be noted that the withdrawal operation is more 
complex than the exchange operation because the user i must prove 
that Pi as incorporated in the blinded candidate linkage is 
properly formatted without revealing Pj . It is expected that the 
withdrawal operation may be avoided most of the time. The reason 
that the withdrawal operation can be avoided is that e-coins can 
be traded for traceable e-money such as e-checks and then the 
exchange operation can be utilized. 

G. Certification Operation 

As indicated above, the e-money system of the present 
invention makes use of a certification of the key Pj . The 
certification is carried out off-off line by the certificate 
authority. The money module of a user i communicates with the 
certificate authority 32 via the telephone, network 26. The steps 
in the certification process of Pi are illustrated in Fig. 6 and 
are as follows: 

1. The user picks a random x and forms the blinded 
candidate certificate Z s x ec f (P i7 0 Y ) mod N c . 

The blinded candidate certificate Z is then transmitted 
to the certificate authority along with an identifying 

2. The user, then proves to the certificate authority that 
Pi is formatted correctly using for example a zero 
knowledge proof or cut-and-choose technique so that the 
certificate authority does not learn Pj and therefore 
cannot correlate Pi and I { . 
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3. If the proof is rejected, the certificate operation is 
halted. Otherwise, the certificate authority computes 
Z dc and transmits Z dc to the user i. 

4. The user i then computes cert(i) s Z dc /x = 
f (Pi,0 T ) dc mod N c . 

Using this certification process, the certificate authority 
does not learn Pi and, therefore, cannot correlate Pi and I*. 
This prevents the certificate authority from learning about the 
e-cash transactions performed by the user i, thereby protecting 
the privacy of the user i. 

H. Refresh Operation 

Because it is possible that the correspondence between P> 
and Ii will leak out (e.g. by means external to cryptography), it 
is desirable to refresh the P d and cert (i) periodically. The 
refresh operation is illustrated in Fig. 7 and the steps may be 
described as follows: 

1) The user picks a random x. 

2) The user selects a new key 

Pi ' = a si ' mod p, S/ = di, R/), where R/ is a fresh 
string of random bits selected by the user i. Using 
the key Pi', a new candidate certificate f (P/, 0 V ) is 
selected. The new candidate certificate is blinded by 
computing Y = x GC f (P^O*) . Y and the old certificate 
cert (i) are transmitted to the certificate authority. 

3) The user i proves to the certificate authority that P { 
and Pi' contain the same I it using for an example, a 
zero knowledge proof or cut and choose technique so 
that the certificate authority cannot correlate Pi or 
Pi' with Ii. 

4) If the certificate authority rejects the proof the 
operation is halted. Otherwise the certificate 
authority computes (Y) dc and transmits this value to 
the user i. 

5) The user i then computes a new certificate 
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cert 2 (i) s (Y) dc /x sf (p i# 0 Y ) dc mod N $ . 

In short, a unique electronic cash system has been 
disclosed. The electronic cash system of the present invention 
protects the privacy of users in legitimate transactions, while 
at the same time permitting the identity of a double spender of a 
particular electronic coin to be revealed. These highly 
beneficial results are achieved through the use of the El Gamal 
signature scheme and other public key cryptographic techniques. 

It should be noted that while certain operations utilized in 
connection with the invention have been described herein through 
use of the RSA public key cryptographic technique, other public 
key cryptographic techniques such as Rabin modular square roots 
may be used in place of RSA. 

Finally, the above described embodiments of the invention 
are intended to be illustrative only. Numerous alternative 
embodiments may be devised by those skilled in the art without 
departing from the spirit and scope of the following claims. 
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CLAIMS 

1. A method for using electronic cash to perform a 
transaction comprising the steps of 

transmitting via a communications link from a first 
5 electronic coin processing unit to a second electronic coin 
processing unit an electronic coin comprising a linkage of a 
public key of a party and a random element, said linkage being 
signed using a secret operation of a public key cryptographic 
system. 

10 2. The method of claim 1 wherein said public key has the 

form 

Pi = a si mod p 
where Pi is a public El Gamal Key of a party i, Si is a 
secret El Gamal Key of the party i which includes an identity I t 
15 of the party i, and p and a are publicly known numbers, wherein 
said random element has the form u=a r mod p, and where r is a 
random number chosen by the party i . 

3. The method of claim 1 wherein said linkage is signed 
using an RSA secret exponent of a bank. 
20 4. The method of claim 1 wherein said transmitting step 

comprises transmitting said electronic coin via a wireless link. 

5. The method of claim 1 wherein said transmitting step 
comprises transmitting said electronic coin via a public switched 
telephone network. 
25 6. The method of claim 1 wherein said first electronic 

coin processing unit is a first money module belonging to a first 
party i . 

7. The method of claim 6 wherein said first money module 
comprises a central processing unit and a memory. 
30 8. The method of claim 6 wherein said second electronic 

coin processing unit is a second money module belonging to a 
second party j . 

9 . The method of claim 8 wherein said transaction 
comprises transmitting said coin from said first money module of 
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said first party i to said second money module of said second 
party j . 

10. The method of claims 9 further comprising the steps of 

a) transmitting a message m from the party j to the 
party i, 

b) signing the message m at the party i with a 
signature from the El Gamal family, 

c) transmitting the signature to the party j, and 

d) verifying the signature at the party j 

11. The method of claim 8 wherein said second money module 
comprises a central processing unit and a memory. 

12 . The method of claim 1 wherein said first electronic 
coin processing unit is a money module belonging to a party j and 
said second electronic coin processing unit is a bank. 

13 . The method of claim 12 wherein said transmitting step 
comprises transmitting said electronic coin from said party j to 
said bank. 

14. The method of claim 13 wherein said public key in said 
electronic coin transmitted from said party j to said bank is the 
public key of a party i who transferred the coin to the party j . 

15. The method of claim 14 further comprising the steps of 
transmitting from said party j to said bank an El Gamal family 
signature of the party i on a message m and said message m. 

16. The method of claim 15 further comprising the steps of 

a) maintaining in a memory at said bank a list of 
coins and corresponding El Gamal family 
signatures, 

b) comparing said coin transmitted to said bank from 
said party j with the coins in said list, 

c) if there is a collision between said coin, 
transmitted from said party j and a coin on said 
list, utilizing the El Gamal family signature 
transmitted from the party j and the El Gamal 
family signature of the coin in the list to 
identify a double spender. 
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17 . The method of claim 16 further comprising the steps of 

d) transmitting to said bank from the party j a 
certificate of a public key of the party j, and 

e) transmitting from the bank to the party j a new 
coin equal in value to the coin originally 
transmitted from the party j to the bank. 

18. A method for detecting the double spending of a 
particular electronic coin in an electronic coin system where 
each of the coins comprises a certified linkage of a public key 
Pi of a user i in which the identity I { of the user i is 
embedded. 

said method comprising the steps of 

a) storing in a memory a list of coins, corresponding 
messages m, and El Gamal family signatures s on 
the messages m obtained using the public key and 
random elements in the coins, 

b) using an electronic processor, comparing said 
particular coin to the coins on the list, and 

c) if there is a collision between said particular 
coin and a coin on said list, using a particular 
El Gamal family signature of said particular coin 
on a particular message and the El Gamal family 
signature and message of said coin on said list to 
identify a double spender. 

19. The method of claim 18 wherein said certified linkage 
is of the form Csf {p i# u,0 T ) d $ mod N s 

where Pi is said public key of said user i. 

u is said random element. 
0 Y is a string of y zeros . 
d $ is the secret RSA exponent .of a bank 
N $ is a modulus of the bank. 

20. The method of claim 18 wherein said public key P t is of 
the form 

Pi=5 si mod p, 
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where si is a secret key of the user i and includes the identity 
Ij of the user i, 5 and p are publicly known numbers and said 
random element is of the form u- 8 r mod p where r is a random 
chosen number. 

21. A method for electronically withdrawing an electronic 
coin from a bank comprising the steps of 

a) using a processor in a money module of a user i, 
performing a blinding operation to blind a 
candidate linkage, which blinded candidate linkage 
includes a public key of the user i of the form P { 
s a Sl mod P/ where S £ is a secret key of the user 

i and contains an identity Ii of the user i, and a 
and p are publicly known numbers, 

b) transmitting via a communication link from the 
user i to the bank the identity of the user i and 
the blinded candidate linkage, ) 

c) said money module of said user i providing an 
indication to said bank that Pi has said form 
without revealing P i to said bank, 

d) utilizing a processor at said bank, signing said 
blinded candidate coin using a secret key of said 
bank and transmitting the signed blinded candidate 
linkage to said user i, and 

e) at said user i, generating a coin from the signed 
blinded candidate linkage. 

22 . The method of claim 18 wherein said certified linkage 
is of the form Csf (p. , u, 0 Y ) d s mod N $ 

where P t is said public key of said user i. 

u is said random element. 
0 Y is a string of 7 zeros . 
d $ is the secret RSA exponent of a bank 
N $ is a modulus of the bank. 

23 . The method of claim 18 wherein said public key Pi is of 
the form 
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Pi=8 si mod p, 

where si is a secret key of the user i and includes the identity 
Ij of the user i, 8 and p are publicly known numbers and said 
random element is of the form u= 8 r mod p where r is a random 
5 chosen number. 

24. A method for certifying a public key of a user of an 
electronic cash system comprising the steps of 

a) utilizing an electronic processor of a user, 
performing a blinding operation on a candidate 

10 certificate to generate a blinded candidate 

certificate, said blinded candidate certificate 
including a public key of a user i of the form 
= Ct s * mod p, where is a secret key of the user 
i containing an identity I i of the user i,and a 

15 and p are publicly known numbers, 

b) transmitting via a communication link, said 
blinded candidate certificate to a certificate 
authority, 

c) transmitting via said communication link an 

20 indication to said certificate authority that Pi 

contains I { without revealing P A to the 
certificate authority, 

d) utilizing a processor at said certificate 
authority, signing said blinded candidate 

25 certificate using a secret key of said certificate 

authority and transmitting the signed blinded 
candidate certificate to said user i, and 

e) at said user i, generating a certificate from said 
signed blinded candidate certificate. 
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25. The method of claim 37 wherein said candidate 
certificate has the form f(Pj, 0 Y ) . 

26. A method for refreshing a certificate of a public key 
of a user in an electronic cash system comprising the steps of: 
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(a) transmitting from a user i to a certificate 
authority an old certificate of an old public key- 
Pi of the form P i = a si mod p, where S £ is an old 
secret key that includes an identity of the 

5 user i, and a and p are public integers, 

(b) at the user i, using an electronic processor, 
selecting a new public key Pj' = cc si ' mod p where 

is new secret key including the identity I {l 
and forming a blinded candidate refresh 
10 certificate including said new key Pi', 

(c) transmitting from said user i to said certificate 
authority said blinded candidate refresh 
certificate, 

(d) transmitting to said certificate authority an 
15 indication that Pi' contains the same I { as Pi 

without revealing P { to said certificate 
authority, 

(e) utilizing an electronic processor' at said 
certificate authority, signing said blinded 

2 0 candidate refresh certificate using a secret key 

of the certificate authority and transmitting the 
signed blinded candidate refresh certificate to 
the user i, and 

(f) at said user i, generating a refresh certificate 
25 from said signed blinded candidate refresh 

certificate. 
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(1) 
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{(S^.^JIi = !■•■*} 




e = (ei •••ei) 


(3) 




(4) 


{(x£ t /$)|j = 






(5) 




Verify: 






By s.v. (r^J- • /((a*')<"U), J = 1 ■• ■* 


(6) 








(7) 






(8) 
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(9) 


Make anonymous call to CA. 






(10) 






Verify (partial) structure and signature. 


(ID 






(12) 


For; = !•••* 






prove that in S$f'* 
ail the I-fields except the j'th 
are zeroes. 




Verify 


(13) 




0 


S 3*r. (/«n'-i ^ "od p), 
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